It’s natural. Mistakes are made in security everyday, causing companies scrambling to recover from breaches that have compromised some of, if not all, important corporate data.  It’s also apparent that most breaches occur from mistakes that could be avoided. 

The five following mistakes are the most common.   

MISTAKE NUMBER 1: NOT KNOWING WHERE YOUR SENSITIVE DATA RESIDES

A lot of enterprises and their chief security officers are unaware of where their sensitive data resides. This is a large problem because it forces a reactive approach to securing their data.  Even worse, they struggle with the question of what data was compromised.  Many regulations, including the Payment Card Industry standard, “scope the environment” for sensitive data as the first step in determining the complexity to secure or become compliant.  Once process mapping has occurred, companies can apply appropriate security to the “segmented environment” and manage the associated risk. Gramm-Leech-Bliley (GLBA) requires all financial organizations, including credit unions, to perform a risk assessment.  Part of any risk assessment is to perform a mapping to high value business process; map the data associated and correlate it to the underlying infrastructure, thus producing a true identification of risk.

As with all regulations and security frameworks, the ability to respond to a breach is critical. Performing a risk assessment or process mapping makes it much easier to respond.

MISTAKE NUMBER 2: NOT CLASSIFYING DATA

What type of data do you store, process or transmit that should be protected? Most enterprises do not classify their data, hence they protect critical data the same as non-sensitive data.

One area that the federal government has excelled in for many of years over the private sector (commercial) is classification of data.  The federal government has invested significant funds to protect classified data.  An integral part of classification of data is compartmentalizing.  Simply put, it is splitting up or segmenting data based on type.  Understand what data you store, process or transmit (Mistake number 1), then you can group systems and business processes that only use those data elements.  In some instances, you may have several data elements that are used.  When this occurs, the ability to cross matrix data security requirements (maybe regulatory also) becomes essential.

MISTAKE NUMBER 3: NOT SECURING DATA THROUGHOUT ITS FULL LIFE SPAN

A common misconception among enterprises and their security operations is that once the data leaves their “control” they no longer have an obligation to protect it.

A very easy way to define ownership of data is if the data originates with you, you own it, PERIOD!  This author’s long time mentor and now CISO of Diebold, Scott Angelo, would also say “cradle to grave,” you must protect the information until it is properly destroyed or rendered unusable.  A good example is a commerce site. Developed by a third party Web company, hosted by a hosting provider and managed by a managed service company, in this relationship all parties share in the responsibility of securing the data.

MISTAKE NUMBER 4: COMPLIANCE-BASED SECURITY

Some companies are still waiting for regulatory compliance to drive their security organization and, consequently, their budgets. It is this author’s belief the audits audit and security secures.

This means that using regulatory compliance as a primary driver and framework for securing the enterprise will never properly secure the data. The biggest problem with security today is obtaining budget. This can easily be solved by presenting the risk to top management and allowing him or her to accept the risk or mitigate (obtaining budget) the risk.  Either way you do not own the risk anymore.  However, to understand the risks, you must perform frequent assessments and consistently report changes in the overall risk posture. 

MISTAKE NUMBER 5: HAVING COMPANIES WITHOUT EXPERTISE HANDLING SECURITY

Well this seems like a no brainer, but there are some companies that rely on their security from their service providers. While this has its economical advantages, it will not make the enterprise secure.  Having a security firm that specializes in information protection, specifically, the data you are trying to protect, will greatly increase your return on investment.